Enacted in 2016, the General Data Protection Regulation (GDPR) is one of the widest-ranging regulations on the planet. Since its establishment, the state of data protection within (and without) Europe has changed drastically. For example, companies spent USD 9 billion in preparation for the law and have since hired 500,000 data protection officers.
The GDPR has also led to the rise of cookieless operating procedures in marketing. Similarly, companies provide GDPR compliance training for employees to best adapt to these regulatory standards.
The changes the law made within the realm of marketing are also notable. Marketing has relied heavily on cookies and data-gathering, but with GDPR this has become an uncertain prospect. Overall, the law has given consumers more say in how their data is distributed and collected. However, this has not come without some shakeups in the world of marketing.
This article will go into how GDPR has impacted digital marketing and communication.
Examining the Internet & Telecommunication Regulation
The letter of the law is rather extensive, but here are the broad strokes of its purpose:
- Consent: Companies must ensure that the subject has given consent and has received clear notice prior to data collection, storage, or transfer (article 6 of GDPR).
- Documentation: Companies are to maintain extensive documentation about data usage and storage (article 30 of GDPR).
- Data Erasure: Users are within their right to request the removal of personal data currently in the hands of other entities.
- Data Changes: Users are entitled to changes pertaining to inaccurate information that concerns them.
- Objections: The subject of any data can object to how said data is being utilized (article 28 of GDPR).
While the above measures are part of the agreement, the law also includes specific protective measures and consumers’ consent to the processing. These include assurances that companies comply with:
- The pseudonymisation and encryption/protection of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
GDPR & Cookies
Another notable area is how the GDPR deals with cookies. Since cookies carry crucial identification data, the GDPR restricts many different types of cookie data. However, it does allow for the crucial forms of cookie-gathering contingent on informed consent and the gathering of non-crucial types based on the visitor’s choice.
- First-party cookies — As the name implies, first-party cookies are put on your device directly by the website you are visiting.
- Third-party cookies — These are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytics system.
GDPR & Data Tracking with Cookie Types
Cookies collect different types of data and the GDPR has different guidelines for them:
- Strictly necessary cookies — Cookies that are essential for browsing a website. They can allow access to secure areas. For example, these cookies allow web shops to maintain your cart while you are browsing online. Generally, they are first-party session cookies. Consent is not required for this type, but sites should explain what they do and why they are necessary.
- Preferences cookies — AKA “functionality cookies”. These allow a website to remember your choices, such as language preference, region-specific data for weather reports, or your account data for automatic logins.
- Statistics cookies — Also referred to as “performance cookies”. These collect information about how you use a website, including what areas you visited and which links you clicked on. This data does not allow for user identification and is thus anonymised. The core purpose of it is to improve website functions.
- Marketing cookies — Cookies that track online activity, helping advertisers provide relevant advertising or keep track of ad plays and preferences. Organizations or advertisers gather these frequently. These are persistent cookies and are almost always third-party.
These sets of regulations have also led to the popularity of cookieless targeting and cookieless tracking. Companies as big as Apple have stopped carrying third-party cookies. Advertising without old forms of information gathering has opened up new possibilities for advertisers, particularly when it comes to closing the information gaps with AI.
There are quite a few ways to track or target without cookies. Authenticated targeting allows for informed consent using either a pop-up or a data collection form. Such practices can inform the users about how and why data collection occurs. Obviously, under GDPR using the viewer’s GPS is out of the question.
Anonymous targeting is another means of avoiding cookie usage. Additionally, it does not require explicit consent in identifying and tracking users. It applies contextual or aggregated targeting to allow advertisers to target specific audiences anonymously.
Companies also gather a lot of information for consented data mining. It differs in that it lets a company utilize stores of pre-gathered data in large clumps (sometimes even open-source) and then categorize it into useful contexts. While data mining privacy issues also exist, a company’s data stores or publicly available ones can be great for predictive analytics.
The GDPR’s impact on marketing is present in many areas. Internet content regulation often means that cookieless targeting and tracking are the future, both within the EU and when marketing to EU markets from outside. The biggest change has to be the end of implied consent (the automatic assumption of authorization for data-gathering).
Under GDPR, the law requires consent to be granular, affirmative and freely given. This means that signing up a customer for an email campaign or an SMS campaign requires consent for each individual. Functionally, this requires the use of some consent mechanism, like a checkbox or automated form.
Accordingly, this also means that any consent should be easy to revoke for the customer. The law presses companies to add unsubscribe buttons to their forms and allows the customer to demand thorough information audits. Companies can and should put unsubscribe buttons in the footers of their campaign emails.
Direct Marketing Guidelines
GDPR direct marketing measures impact SMS, text messaging, and email marketing techniques. Direct electronic marketing is currently regulated under the ePrivacy Directive, which generally requires opt-in consent before engaging in such activities.
GDPR B2B Marketing
One might also wish to ask: how does GDPR affect B2B sales or advertising?
Businesses operate as legal entities (aside from sole proprietors). The GDPR classes them as “corporate subscribers”. As a result, B2B direct marketing messages vary from B2C in that sending to corporate email addresses does not require prior consent. However, the senders must identify themselves and provide contact details. The GDPR does apply to the gathering of any personal data within the company.
With some exceptions, the same rules apply regardless of whether the person is an individual or an individual acting in a professional capacity. A business contact or information that contains an individual’s name on a file or their email address (first name.last [email protected]) would belong to a physical person and not the corporate subscriber’s information.
Hopefully, this basic guide clears up some common misconceptions about the GDPR and provides useful information.
If you’re looking for a marketing partner for Europe, Promoguy can provide all kinds of services. We have extensive experience in the region.